3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63846f0545e6163d027a52bd567bb6d0N.exe
Size

2.6MB
MD5

63846f0545e6163d027a52bd567bb6d0
SHA1

e6946c7f988f31b4efb315246147b007ea3675d6
SHA256

3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d
SHA512

ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	63846f0545e6163d027a52bd567bb6d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4024	locdevopti.exe
2216	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4C\\devbodsys.exe"	63846f0545e6163d027a52bd567bb6d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYR\\optixec.exe"	63846f0545e6163d027a52bd567bb6d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63846f0545e6163d027a52bd567bb6d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	63846f0545e6163d027a52bd567bb6d0N.exe
2468	63846f0545e6163d027a52bd567bb6d0N.exe
2468	63846f0545e6163d027a52bd567bb6d0N.exe
2468	63846f0545e6163d027a52bd567bb6d0N.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe
4024	locdevopti.exe
4024	locdevopti.exe
2216	devbodsys.exe
2216	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4024	2468	63846f0545e6163d027a52bd567bb6d0N.exe	86
PID 2468 wrote to memory of 4024	2468	63846f0545e6163d027a52bd567bb6d0N.exe	86
PID 2468 wrote to memory of 4024	2468	63846f0545e6163d027a52bd567bb6d0N.exe	86
PID 2468 wrote to memory of 2216	2468	63846f0545e6163d027a52bd567bb6d0N.exe	87
PID 2468 wrote to memory of 2216	2468	63846f0545e6163d027a52bd567bb6d0N.exe	87
PID 2468 wrote to memory of 2216	2468	63846f0545e6163d027a52bd567bb6d0N.exe	87

C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\SysDrv4C\devbodsys.exe
  C:\SysDrv4C\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxYR\optixec.exe

Filesize
2.6MB

MD5
18c93fdfa0e52d91cd784ffc73dff385

SHA1
942f7f923689573a7c2625aefa9c0226ee06681a

SHA256
e63336f21ffada8282b957c97719235e10d1bd0e2e848f40f5286ce066c8693d

SHA512
6b0079c82a6658a8a229fa26989b5021b7e84e23b712e0cc3a996d39c97c43fdbc59cd6bc4e95e00f476d4be3b6d0b368a357da58af7ddbfeffbe6ee078be7d6

Download Submit
C:\GalaxYR\optixec.exe

Filesize
1.6MB

MD5
5696f8cb7b3197c901ec9e7d36c1037c

SHA1
147d3c98835baf107d251c46319b17d864a5d9fb

SHA256
faec6758106bd7e3f106395953741cb0e1128a72a52543bcbb665a4880450bbb

SHA512
0664f9e9b980457ff15835fbb66e8331c37b9d3229ddd077f3653ebcb3e1772ede12d7c262c612e49877cb7cd2149ad48aafae3294418229ecbe0a9eb11c36f6

Download Submit
C:\SysDrv4C\devbodsys.exe

Filesize
1.2MB

MD5
a8a3f5c8a306408a9d69bd140db67622

SHA1
35e61a4760dc153dd09e6db1d3b402dce89b5e0d

SHA256
08e09b083fb7e40398408233997c98f5eda8c4186687f2cd081aef00c41d3465

SHA512
2cce7bff0c0dcfa2e542694ac0cbf3f274087715615a645ce759c99280cc84c4976b5ca8a04398f4a69eecc2398ee0da8516433c625b52715df34a5032b3e1b6

Download Submit
C:\SysDrv4C\devbodsys.exe

Filesize
2.6MB

MD5
2e0d4671c32129f0e30a54e4b7bfa82c

SHA1
c9ef00e52c466b5dc1a4f7474dd04d5ed57acca8

SHA256
3cd41be7239512569b943a4f48f6f11a3881d16ae31e05810c8d197cb7a80dba

SHA512
a5b462275dce4eac1aeffde167081817dc2e47593cf02918ba999b251abde3be0e4abf694e2bfcfc2558b53d67d2dc9d7ac2f3ab6b695e263e85e5e621c39ae7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
105ec10af36c5267ff02644539574de7

SHA1
005f46ee922759764f46faa06897c06ffc9a9247

SHA256
6b56408b7ac9781505f89ced320ed936ef498e5917147b20d703a8f7e8993bfe

SHA512
06ba3d4d181871c71511435ae2fefc60be2ed589750b4062e1cc3ed9f57cdf4f1747ee6f129749f499bf9e377a6721d3cb40afa133a51e24b685c96dfa8b5283

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
ac6e02802f010c3c095223a42c014d02

SHA1
7bcf3c01f59f123b4619202400721a88e1725e93

SHA256
b71f8e015b90cefaf2dbcbca4502485cd90d3afcbb5e104f05e01818648375ca

SHA512
0b8db0f952f293b53cf5372804301c3d120477a3e90828265eb4f0f9464902ac8de787ed8390d9e149dfc3963c0b73e48ec62d3d718e5a3693b5d2b4dd69a5c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
1c93eb8f3eb4e6577a3cf2a94afb2bbd

SHA1
331f723e9552839666c9e8402ce04ee7fca8064f

SHA256
bac1e20f31ddc80c54752ed6e952378db3f908a0bfd5834f12a0b2de98957032

SHA512
54c364d7ca149be98f3c1892869dbbb65b165ba16c5dd0af21b20b984e9552d74efe77d4a59d6c990b682adb8ac13427cc8c3dedd1a4dab57e47838b3da08669

Download Submit